Add back rancher/webhook-specific labels #432

Open
wants to merge 1 commit into
base: release/v0.5

@tomleb tomleb commented Jul 4, 2024

Issue: rancher/rancher#45231

Problem

Some labels are missing or wrong in the new webhook images built by GHA (docker buildx).

Some labels were previously added by drone via layers. An example can be seen here: rancher/rancher-webhook:v0.5.0-rc10. With this change, the labels still won't show up as layers, but you will be able to see them using docker image inspect <image>.

A comparison of images:

  • rancher-webhook before GHA had the following labels:
$ docker image inspect docker.io/rancher/rancher-webhook:v0.5.0-rc10
                ...
                "org.opencontainers.image.created": "2024-06-28T14:50:11Z",
                "org.opencontainers.image.description": "A micro environment for containers based on the SLE Base Container Image.",
                "org.opencontainers.image.revision": "97679b88dd800c1cbad320721d721e4250fa7a91",
                "org.opencontainers.image.source": "https://github.com/rancher/webhook.git",
                "org.opencontainers.image.title": "SLE BCI 15 SP5 Micro",
                "org.opencontainers.image.url": "https://github.com/rancher/webhook",
                "org.opencontainers.image.vendor": "SUSE LLC",
                "org.opencontainers.image.version": "15.5.27.1",
                ...
  • rancher-webhook after GHA but without this change:
$ docker image inspect docker.io/rancher/rancher-webhook:v0.5.0-rc11
                ...
                "org.opencontainers.image.created": "2024-06-27T14:10:02.404401630Z",
                "org.opencontainers.image.description": "A micro environment for containers based on the SLE Base Container Image.",
                "org.opencontainers.image.source": "https://sources.suse.com/SUSE:SLE-15-SP5:Update:CR/micro-image/e4aac607525a7db6d7cf18a0c10dfd29/",
                "org.opencontainers.image.title": "SLE BCI 15 SP5 Micro",
                "org.opencontainers.image.url": "https://www.suse.com/products/base-container-images/",
                "org.opencontainers.image.vendor": "SUSE LLC",
                "org.opencontainers.image.version": "15.5.27.1",
                ...
  • rancher-webhook after GHA and with this change:
$ docker image inspect docker.io/tomleb/rancher-webhook:v0.0.2
                ...
                "org.opencontainers.image.created": "2024-07-04T14:16:24.357Z",
                "org.opencontainers.image.description": "Rancher webhook for Kubernetes",
                "org.opencontainers.image.licenses": "Apache-2.0",
                "org.opencontainers.image.revision": "4ed4310a68724fa404987f34c73a525fc05b2035",
                "org.opencontainers.image.source": "https://github.com/tomleb/rancher-webhook",
                "org.opencontainers.image.title": "rancher-webhook",
                "org.opencontainers.image.url": "https://github.com/tomleb/rancher-webhook",
                "org.opencontainers.image.vendor": "SUSE LLC",
                "org.opencontainers.image.version": "v0.0.2",
                ...

We can observe the following:

  • A lot of labels previously referred to the labels of the BCI image (description, title, version)
  • The license label wasn't there
  • metadata action doesn't add a .git suffix to the source label, drone did

It seems pretty straightforward to pick and choose which label we want to override from the base BCI image, we just gotta decide on which.

@tomleb tomleb requested a review from a team as a code owner July 4, 2024 15:09
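An added example, not part of this PR or of the rancher/webhook code: a small audit that parses `docker image inspect` JSON and reports the three problems listed above (project labels that still carry the base image's values, missing `revision`/`licenses`, and a `source` that differs only by drone's `.git` suffix versus one that points somewhere else). The function names are hypothetical, and the sample data is constructed from the rc10 and rc11 outputs quoted above, assuming the rc11 values are the BCI base image's own labels.

```python
import json
import re

PREFIX = "org.opencontainers.image."
# Labels that should describe the project, not the base image it is built FROM.
PROJECT_KEYS = ("title", "description", "version", "source", "url")
REQUIRED_KEYS = PROJECT_KEYS + ("revision", "licenses")

def labels_from_inspect(inspect_json):
    """Return Config.Labels from `docker image inspect` output (a JSON array)."""
    return json.loads(inspect_json)[0]["Config"].get("Labels") or {}

def normalize_repo(url):
    """Drop a trailing slash and the .git suffix that drone added, for comparison."""
    url = url.rstrip("/")
    return (url[:-4] if url.endswith(".git") else url).lower()

def audit_labels(labels, base_labels, expected_repo):
    """List problems: missing keys, values equal to the base image's, wrong source."""
    findings = []
    for short in REQUIRED_KEYS:
        value = labels.get(PREFIX + short)
        if not value:
            findings.append(f"missing: {short}")
        elif short in PROJECT_KEYS and value == base_labels.get(PREFIX + short):
            findings.append(f"inherited from base image: {short}")
    source = labels.get(PREFIX + "source", "")
    if source and normalize_repo(source) != normalize_repo(expected_repo):
        findings.append("source is not the expected repository")
    revision = labels.get(PREFIX + "revision", "")
    if revision and not re.fullmatch(r"[0-9a-f]{40}", revision):
        findings.append("revision is not a full commit SHA")
    return findings

# Constructed sample data; values copied from the rc11 and rc10 outputs above.
# Assumption: the rc11 values are the BCI base image's own labels.
BASE = {PREFIX + k: v for k, v in {
    "title": "SLE BCI 15 SP5 Micro",
    "description": "A micro environment for containers based on the SLE Base Container Image.",
    "version": "15.5.27.1",
    "source": "https://sources.suse.com/SUSE:SLE-15-SP5:Update:CR/micro-image/e4aac607525a7db6d7cf18a0c10dfd29/",
    "url": "https://www.suse.com/products/base-container-images/"}.items()}
DRONE = {**BASE, **{PREFIX + k: v for k, v in {
    "revision": "97679b88dd800c1cbad320721d721e4250fa7a91",
    "source": "https://github.com/rancher/webhook.git",
    "url": "https://github.com/rancher/webhook"}.items()}}
GHA_UNFIXED = json.dumps([{"Config": {"Labels": BASE}}])
DRONE_INSPECT = json.dumps([{"Config": {"Labels": DRONE}}])

if __name__ == "__main__":
    for name, doc in (("rc11", GHA_UNFIXED), ("rc10", DRONE_INSPECT)):
        print(name, audit_labels(labels_from_inspect(doc), BASE, "https://github.com/rancher/webhook"))
```

To audit a real image, pass the output of `docker image inspect <image>` to `labels_from_inspect` and supply the base image's labels obtained the same way.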

@ericpromislow ericpromislow left a comment

Looks fine, based on the slack thread where Tom showed the metadata in drone, GHA before this PR, and GHA with this PR. I'm wondering if adding sbom: true to docker/build-push-action makes a positive difference, but am happy with this change.

tomleb commented Jul 5, 2024

A bit more information.

The set of labels added by metadata-action (and the old drone plugin as well) comes from the pre-defined set of annotations in the OCI standard: https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys.

The metadata-action GHA doesn't document how it gets its information but we can just look at the code: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L479-L487.

tomleb commented Jul 5, 2024

> Looks fine, based on the slack thread where Tom showed the metadata in drone, GHA before this PR, and GHA with this PR. I'm wondering if adding sbom: true to docker/build-push-action makes a positive difference, but am happy with this change.

@ericpromislow I have tested without labels: .. and with just sbom: true here: https://github.com/tomleb/rancher-webhook/actions/runs/9808811573/job/27085435845 You can have a look at the resulting image here: https://hub.docker.com/layers/tomleb/rancher-webhook/v0.0.1/images/sha256-c4fd948426ebfb85a87c7036e329eb1f6aa38e4b6fe41abc42c59093aba5a8db?context=explore.


@ericpromislow ericpromislow left a comment

LGTM - The test run with sbom: true only shows this way is better.
